
CN114244607B - Single sign-on method, system, device, medium, and program - Google Patents


Info

Publication number
CN114244607B
Authority
CN
China
Prior art keywords
application
unified
authentication center
back end
legal token
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111546258.8A
Other languages
Chinese (zh)
Other versions
CN114244607A (en)
Inventor
王文勃
张展程
陈永浩
易卫华
赵琪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CCB Finetech Co Ltd
Original Assignee
CCB Finetech Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by CCB Finetech Co Ltd
Priority to CN202111546258.8A
Publication of CN114244607A
Application granted
Publication of CN114244607B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/12 Applying verification of the received information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The present disclosure provides a single sign-on method, system, device, medium, and program. The method comprises the following steps: in response to a user login request, the unified login interface generates verification information and sends it to a unified authentication center; the unified authentication center performs a validity check on the received verification information and, when the check succeeds, sends a legal token to the unified login interface, which forwards it through the first application front end to the first application back end; the first application back end sends the legal token to the unified authentication center for verification and, when the unified authentication center verifies it successfully, receives the verified legal token, synchronizes it to the unified application back end, and returns the verified legal token to the first application front end to complete single sign-on of the first application.

Description

Single sign-on method, system, device, medium, and program
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a single sign-on method, system, device, medium, and program.
Background
With the development of technology, single sign-on methods under the traditional WEB technology framework can hardly satisfy the complex demands brought by business development.
Applications built on the traditional technical framework therefore need to be converted into applications based on a front-end and back-end separation framework, so as to meet more complex business requirements.
Disclosure of Invention
In view of the technical problems, the present disclosure provides a single sign-on method, system, device, medium, and program.
In a first aspect of the present disclosure, a single sign-on method is provided, including: in response to a user login request, the unified authentication center performs a validity check on the received verification information and, when the check succeeds, sends a legal token to the unified login interface, which forwards it through the first application front end to the first application back end; and the first application back end sends the legal token to the unified authentication center for verification and, when the unified authentication center verifies it successfully, receives the verified legal token, synchronizes it to the unified application back end, and returns the verified legal token to the first application front end to complete single sign-on of the first application.
According to an embodiment of the present disclosure, the generating and sending of verification information by the unified login interface to the unified authentication center includes: the unified login interface obtains a public key from the unified authentication center, encrypts the verification information with the public key, and transmits the encrypted verification information to the unified authentication center.
According to an embodiment of the present disclosure, the validity check performed by the unified authentication center on the received verification information includes: decrypting the received verification information, which was encrypted with the public key, using the private key to obtain a decrypted file; hashing the decrypted file with MD5 together with a specific salt value to obtain ciphertext data; and verifying the legality of the ciphertext data against the ciphertext stored in a preset database.
According to an embodiment of the present disclosure, the plurality of application front ends further includes a second application front end, and the plurality of application back ends further includes a second application back end. After single sign-on of the first application is completed, the method further includes: the second application back end responds to a query request and, when the query shows that the user is not logged in to the application, returns a redirection instruction for the second application front end to jump to the unified login interface; the unified login interface transmits verification information to the unified authentication center to obtain a legal token; and, in response to the unified login interface obtaining a public key from the unified authentication center, the unified application back end intercepts the verification information, performs validity verification, and sends the legal token to the unified application front end when verification succeeds.
According to an embodiment of the present disclosure, the method further comprises: the unified application front end redirects to the second application front end and sends the legal token; the second application front end sends the legal token to the second application back end; the second application back end forwards the legal token to the unified authentication center; the unified authentication center performs a validity check on the received legal token and, when the check succeeds, sends the legal token to the second application back end; and the second application back end returns to the second application front end to complete single sign-on of the second application.
According to an embodiment of the present disclosure, redirecting by the unified application front end to the second application front end and sending the legal token includes: the second application front end receives the legal token spliced onto the URL address.
According to an embodiment of the present disclosure, receiving the verified legal token and synchronizing it to the unified application back end includes: the unified application back end stores the legal token on the cluster nodes.
In a second aspect of the present disclosure, a single sign-on system is provided, in which: the unified application front end is configured to integrate a plurality of application front ends, including at least a first application front end; the unified application back end is configured to integrate a plurality of application back ends, including at least a first application back end; the unified login interface is configured to respond to a user login request by generating verification information and sending it to the unified authentication center; the unified authentication center is configured to perform a validity check on the received verification information and, when the check succeeds, send a legal token to the unified login interface, which forwards it through the first application front end to the first application back end; and the first application back end is configured to send the legal token to the unified authentication center for verification, receive the verified legal token and synchronize it to the unified application back end when the unified authentication center verifies it successfully, and return the verified legal token to the first application front end to complete single sign-on of the first application.
According to an embodiment of the disclosure, the unified login interface is further configured to obtain a public key from the unified authentication center, encrypt the verification information with the public key, and transmit the encrypted verification information to the unified authentication center.
According to an embodiment of the disclosure, the unified application front end further comprises a second application front end and the unified application back end further comprises a second application back end. The second application back end is configured to respond to a query request and, when the query shows that the user is not logged in to the application, return a redirection instruction for the second application front end to jump to the unified login interface; the unified login interface is configured to send verification information to the unified authentication center to obtain a legal token; and the unified application back end is further configured, in response to the unified login interface obtaining a public key from the unified authentication center, to intercept the verification information, perform validity verification, and send the legal token to the unified application front end if verification succeeds.
According to an embodiment of the disclosure, the unified application front end is configured to redirect to the second application front end and send the legal token; the second application front end is further configured to send the legal token to the second application back end; the second application back end is further configured to forward the legal token to the unified authentication center; the unified authentication center is further configured to perform a validity check on the received legal token and send the legal token to the second application back end when the check succeeds; and the second application back end is further configured to return to the second application front end to complete single sign-on of the second application.
In a third aspect of the present disclosure, there is provided an electronic device, comprising: one or more processors; and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the single sign-on method described above.
In a fourth aspect of the present disclosure, a computer-readable storage medium is provided having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the single sign-on method described above.
In a fifth aspect of the present disclosure, a computer program product is provided, comprising a computer program which, when executed by a processor, performs the method of single sign-on described above.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
Fig. 1 schematically illustrates an application scenario diagram of a single sign-on method according to an embodiment of the present disclosure.
Fig. 2 schematically illustrates a block diagram of a unified application front end and a unified application back end according to an embodiment of the present disclosure.
Fig. 3A schematically illustrates a flow chart of a single sign-on method according to an embodiment of the disclosure.
Fig. 3B schematically illustrates a flow chart of another single sign-on method according to an embodiment of the disclosure.
Fig. 4A schematically illustrates a flow chart of single sign-on in the case where the user is not logged in to an application, according to an embodiment of the disclosure.
Fig. 4B schematically illustrates a flow chart of single sign-on in which, the first application having been signed in, a second application is signed in quickly by means of the legal token generated during the sign-on of the first application, according to an embodiment of the disclosure.
Fig. 5 schematically illustrates a schematic diagram of cluster node authentication according to an embodiment of the disclosure.
Fig. 6 schematically shows a schematic diagram of different application architectures according to an embodiment of the present disclosure.
Fig. 7 schematically illustrates a block diagram of a single sign-on system in accordance with an embodiment of the present disclosure.
Fig. 8 schematically illustrates a block diagram of an electronic device adapted to implement a single sign-on method in accordance with an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where expressions like "at least one of A, B and C, etc." are used, they should generally be interpreted in accordance with the meaning commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
Before describing the technical solutions of the present disclosure, technical terms in the art are described as follows:
Single sign-on: single Sign On, abbreviated SSO, is one of the more popular solutions for business integration in enterprises. SSO is defined as the ability of a user to access all mutually trusted applications by logging in only once in multiple applications.
CAS: an enterprise-level, open-source project initiated by the university of Yes is intended to provide a reliable single sign-on solution for Web applications.
Front-rear end separation: here, front-end and back-end separation refers not only to separation of front-end development from back-end development, but more importantly to separation of front-end deployment from back-end deployment.
Clustering: a cluster is a group of mutually independent computers interconnected by a high-speed network, which form a group and are managed in a single system mode. When a client interacts with a cluster, the cluster appears as an independent server. Cluster configuration is used to increase availability and scalability.
Java SPI: SPI, commonly known as Service Provider Interface, is a Java-provided set of interfaces for third-party implementation or extension that can be used to enable framework extensions and replacement components. The role of the SPI is to find service implementations for these extended APIs.
SM2: SM2 is elliptic curve public key cryptographic algorithm issued by the national cryptographic administration at 12/17 2010 and is an asymmetric domestic encryption algorithm.
Ajax (async javascript and XML): asynchronous javascript and XML for background and server small data exchange.
Logging in environment dynamic switching: the method is characterized in that the authentication environment of the application is used by some application in the online early login environment, and the login environment of the application needs to be switched to an upstream authentication environment along with the change of a service scene, so that the online dynamic switching of the login environment is realized.
Cross-domain: it means that when any one of the protocol, domain name and port of a request URL is different from the URL of the current page, it is the cross-domain.
Specific salt value: a set of strings is randomly generated, which may include random case letters, numbers, characters. The number of bits may be defined as desired.
http protocol 302 status code: the client continues to request the client to perform a temporary redirect to the original address.
In the prior art, the following problems are often faced:
First, integrating CAS into front-end/back-end separated projects requires extensive technical adaptation. CAS relies on a client and a server to perform the authentication work, does not integrate the technical frameworks of new and old applications, requires each application to install a client, and is too heavy.
Second, conventional single sign-on methods usually solve single sign-on by passing authentication information through intermediate addresses and page jumps, which causes waiting and unnecessary visual jumps for the user. In conventional single sign-on, under application cluster deployment, two methods are used to keep the authentication information of the cluster nodes consistent: the first checks with the unified authentication center on every request, and the problem is that the large number of requests places service pressure on the unified authentication center; the second caches the user authentication information in a third-party middleware service such as Redis, at the extra cost of deploying that middleware, which is not suitable for some scenarios that require easy deployment.
Third, current single sign-on solutions in the prior art do not support dynamic switching of the login scenario, and no solution is provided for fast integration of single sign-on between Web applications built on different technology architectures.
The embodiment of the disclosure provides a single sign-on method comprising the following steps:
in response to a user login request, the unified login interface generates verification information and sends it to a unified authentication center; the unified authentication center performs a validity check on the received verification information and, when the check succeeds, sends a legal token to the unified login interface, which forwards it through the first application front end to the first application back end; and the first application back end sends the legal token to the unified authentication center for verification and, when the unified authentication center verifies it successfully, receives the verified legal token, synchronizes it to the unified application back end, and returns the verified legal token to the first application front end to complete single sign-on of the first application.
The embodiment of the disclosure applies to single sign-on where the user does not yet hold a legal token in the single sign-on system. After the first application back end obtains the legal token, it sends the token to the unified authentication center to be verified again, which ensures the correctness of the legal token. The legal token held by the first application back end is then stored in the unified application back end, so that in most cases the unified application back end performs verification in place of the unified authentication center, relieving the processing pressure on the unified authentication center.
Fig. 1 schematically illustrates an application scenario diagram of a single sign-on method according to an embodiment of the present disclosure.
As shown in fig. 1, an application scenario 100 according to this embodiment may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 is used as a medium to provide communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may interact with the server 105 via the network 104 using the terminal devices 101, 102, 103 to receive or send messages or the like. Various communication client applications, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only) may be installed on the terminal devices 101, 102, 103.
The terminal devices 101, 102, 103 may be a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by users using the terminal devices 101, 102, 103. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that, the single sign-on method provided in the embodiments of the present disclosure may be generally performed by the server 105. Accordingly, the single sign-on system provided by embodiments of the present disclosure may be generally disposed in the server 105. The single sign-on method provided by the embodiments of the present disclosure may also be performed by a server or cluster of servers other than the server 105 and capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the single sign-on system provided by the embodiments of the present disclosure may also be provided in a server or server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The single sign-on method of the embodiment of the present disclosure will be described in detail below, in the scenario of Fig. 1, with reference to Figs. 2 to 6.
Fig. 2 schematically illustrates a block diagram of a unified application front end and a unified application back end according to an embodiment of the present disclosure.
As shown in Fig. 2, this embodiment provides a unified application front end 210 and a unified application back end 220. The unified application front end 210 includes a plurality of application front ends, among them at least a first application front end 211 and a second application front end 212; the unified application back end 220 includes a plurality of application back ends, among them at least a first application back end 221 and a second application back end 222. Specifically:
The unified application front end 210 may integrate multiple application front ends, each of which may provide its own front-end service resources and front-end authentication process, and/or the unified application front end 210 may itself provide front-end service resources and a front-end authentication process.
The unified application back end 220 may integrate multiple application back ends, each of which may provide its own back-end application services and back-end authentication security, and/or the unified application back end 220 may itself provide back-end application services and back-end authentication security.
It should be understood that the number of application front-ends and application back-ends in fig. 2 is merely illustrative. There may be any number of application front-ends and application back-ends, as desired for implementation.
Fig. 3A schematically illustrates a flow chart of a single sign-on method according to an embodiment of the disclosure.
As shown in Fig. 3A together with Fig. 4A, this embodiment provides a single sign-on method for the case in which the user is not yet logged in; the method includes operations S311 to S313, as follows:
In operation S311, in response to the user login request, the unified login interface generates verification information and transmits it to the unified authentication center.
According to the embodiment of the disclosure, the first application back end responds to a query request and, when the query shows that the user is not logged in to the application, returns a redirection instruction for the first application front end to jump to the unified login interface, which triggers the user login request.
According to the embodiment of the disclosure, the first application front end receives an access request from the user, converts it into a query request and sends the query request to the first application back end. Specifically, when the user accesses the URL of the first application front end through a browser, the first application front end is triggered to respond to the access request. The query request may be sent using Ajax, which is suited to front-end to back-end communication.
According to an embodiment of the present disclosure, the not-logged-in state includes two cases: the user has never logged in successfully, and the user has logged in successfully before but the validity period has expired. The user login request is triggered in the not-logged-in state.
According to an embodiment of the disclosure, the redirection instruction carries HTTP 302 status code information requiring the user's browser to redirect to the unified login interface. Specifically, after the redirection the unified login interface stores the URL of the first application front end, so that in a later operation the unified login interface can redirect back to the first application front end.
According to an embodiment of the disclosure, the unified login interface obtains a public key from the unified authentication center, encrypts the verification information with the public key and transmits it to the unified authentication center. In particular, the public key may be an SM2 key.
According to the embodiment of the disclosure, the verification information comprises an account number and a password.
According to the embodiment of the disclosure, the legal token may be a token that not only distinguishes users but also represents the user's rights and the token's validity period. Correspondingly, a history token is a token that was used historically.
According to the embodiment of the disclosure, the unified login interface obtains a public key from the unified authentication center, encrypts the verification information with the public key, and transmits the encrypted verification information to the unified authentication center. Specifically, communication between the unified login interface and the unified authentication center is based on Ajax.
In operation S312, the unified authentication center performs a validity check on the received verification information and, when the check succeeds, sends a legal token to the unified login interface, which forwards it to the first application back end via the first application front end.
According to an embodiment of the present disclosure, the validity check includes: decrypting the received account and password, which were encrypted with the public key, using the private key to obtain a decrypted file; hashing the decrypted file with MD5 together with a specific salt value to obtain ciphertext data; and verifying the legality of the ciphertext data against the ciphertext in the preset database. It should be noted that the purpose of adding the specific salt value is to strengthen the MD5 algorithm: a randomly generated string is appended in the hashing step.
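The validity check of operation S312, written out as an added example; this is the editor's illustration, not code from the patent or its assignee. The SM2 decryption with the private key is assumed to have already happened (the page names SM2 but the example takes the decrypted file as input), and the layout of the decrypted file is assumed to be the account, a newline, and the password, which the page does not specify. The function recomputes MD5 over the password plus the specific salt value and compares it, in constant time, against the ciphertext in a constructed preset database. Because a single salted MD5 is a fast hash, the block also shows, as the editor's alternative and not something the page proposes, the same check with a per-account random salt and PBKDF2.

```python
import hashlib
import hmac
import secrets
import string

# Constructed "specific salt value" (page definition: a randomly generated string of
# letters, digits and other characters). A deployment generates its own and keeps it server-side.
SPECIFIC_SALT = "aZ3$k9Qp!m2W"


def generate_specific_salt(length: int = 16) -> str:
    """Generate a specific salt value as the page defines it: random letters, digits, characters."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def ciphertext_data(password: str, salt: str = SPECIFIC_SALT) -> str:
    """The page's 'ciphertext data': MD5 over the decrypted password plus the specific salt value."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


# Constructed preset database: account -> ciphertext stored at enrolment with the same scheme.
PRESET_DATABASE = {
    "alice": ciphertext_data("s3cret-pass"),
    "bob": ciphertext_data("another-pass"),
}


def parse_decrypted_file(decrypted_file: bytes) -> tuple:
    """Assumed layout of the decrypted file (not fixed by the page): account, newline, password."""
    account, password = decrypted_file.decode("utf-8").split("\n", 1)
    return account, password


def validity_check(decrypted_file: bytes, database: dict = PRESET_DATABASE,
                   salt: str = SPECIFIC_SALT) -> bool:
    """Operation S312 after private-key decryption: recompute the ciphertext data and compare
    it with the ciphertext in the preset database. Unknown accounts are compared against a
    dummy value so the timing of the check does not depend on whether the account exists."""
    try:
        account, password = parse_decrypted_file(decrypted_file)
    except (ValueError, UnicodeDecodeError):
        return False
    stored = database.get(account, "0" * 32)  # dummy 32-hex-char value for unknown accounts
    return hmac.compare_digest(ciphertext_data(password, salt), stored) and account in database


# Editor's hardened alternative (not the page's scheme): per-account random salt and a slow
# key derivation function instead of a single salted MD5.
PBKDF2_ITERATIONS = 200_000


def hardened_record(password: str) -> dict:
    """Enrolment: store a fresh 16-byte salt and PBKDF2-HMAC-SHA256 of the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def hardened_check(password: str, record: dict) -> bool:
    """Verification against a hardened record, again with a constant-time comparison."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    print(validity_check(b"alice\ns3cret-pass"))    # True
    print(validity_check(b"alice\nwrong-pass"))     # False
    print(validity_check(b"mallory\ns3cret-pass"))  # False
```

The dummy comparison for unknown accounts and `hmac.compare_digest` keep the check's timing independent of the account's existence and of how many leading bytes of the ciphertext match, which a plain `==` on the hex strings would not.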
In operation S313, the first application back end sends the legal token to the unified authentication center for verification; when the unified authentication center verifies it successfully, the first application back end receives the verified legal token, synchronizes it to the unified application back end, and returns the verified legal token to the first application front end to complete single sign-on of the first application.
According to an embodiment of the present disclosure, receiving the verified legal token and synchronizing it to the unified application back end includes: the unified application back end storing the legal token in a cluster node.
According to the embodiment of the disclosure, the first application back end queries the authority carried by the legal token and returns the related service resources to the front end to provide services.
It should be noted that, for ease of understanding, the unified login interface and the unified authentication center in the present application may be regarded as existing independently of the unified application front end and the unified application back end. In particular, the unified authentication center can be regarded as an independent application, and the location where the unified authentication center stores token information is independent of the location where the unified application back end stores token information.
The embodiment of the disclosure is suitable for single sign-on when the user does not yet hold a legal token in the single sign-on system. After the first application back end acquires the legal token, it sends the legal token to the unified authentication center for verification again, which ensures the correctness of the legal token. The legal token held by the first application back end is stored in the unified application back end, so that in most cases the unified application back end performs the verification in place of the unified authentication center, relieving the processing pressure on the unified authentication center.
Fig. 3B schematically illustrates a flow chart of another single sign-on method according to an embodiment of the disclosure.
As shown in conjunction with fig. 3B and fig. 4B, this embodiment provides another single sign-on method, comprising operations S321-S328, applied to the flow of quickly logging in to a second application by means of the legal token generated while logging in to the first application, where the first application is already logged in. Specifically:
In operation S321, the second application back end responds to a query request and, when the query finds that the user is not logged in to the application, returns a redirection instruction to the second application front end to jump to the unified login interface.
According to the embodiment of the disclosure, after the first application has been logged in successfully through the unified login interface, the user directly enters the access address of the second application in the browser, which triggers the query request at the second application front end.
In operation S322, the unified login interface transmits verification information to the unified authentication center to acquire a legal token.
According to an embodiment of the present disclosure, the verification information is a historically generated legal token.
In operation S323, the unified application back end, in response to the unified login interface obtaining the public key from the unified authentication center, intercepts the verification information to perform validity verification, and sends the legal token to the unified application front end if verification succeeds.
Specifically, when verification succeeds, the unified application back end returns a specific HTTP status code with the token written into the response header, and sends the data to the unified front-end authentication processing module.
It should be noted that, because the first application (or some other application) was logged in previously, the unified login interface stored token information during that earlier login; however, whether that token is still legal (for example, whether it has expired) must be further checked. According to the method in fig. 3A this check would be performed by the unified authentication center, but because the unified application back end has already cached a legal token for checking, the unified application back end intercepts the verification information and takes over the function of the unified authentication center, relieving the throughput pressure on the unified authentication center.
In operation S324, the unified application front end redirects to the second application front end and sends the legal token.
It should be noted that, in operations S323 to S324, the unified application back end may instead, in response to the unified login interface obtaining the public key from the unified authentication center, intercept the verification information to perform validity verification, send the legal token to the unified login interface if verification succeeds, and then have the unified login interface redirect to the second application front end while sending the legal token. However, this scheme adds visibly unnecessary interface jumps and degrades the user's single sign-on experience.
According to the embodiment of the disclosure, the second application front end receives the legal token by way of the legal token being spliced into the URL address.
In operation S325, the legal token is sent by the second application front end to the second application back end.
According to an embodiment of the present disclosure, the second application front end identifies the legal token information appended to the URL address.
In operation S326, the second application backend forwards the legal token to the unified authentication center.
In operation S327, the unified authentication center performs validity verification on the received legal token, and if the verification is successful, sends the legal token to the second application back end.
In operation S328, the second application back end returns to the second application front end to complete single sign-on of the second application.
It should be noted that, when a user accesses an application through single sign-on, the system needs to determine whether the next address accessed is cross-domain. In the cross-domain case, the URL of the destination application is spliced with the token stored in the unified login interface and accessed using operations S324-S328; in the non-cross-domain case, direct access suffices. In the cross-domain case the user spends a little more time because the unified login interface is visited. In practice, only a small proportion of single sign-on scenarios need the jump through the unified login interface.
The embodiment of the disclosure is suitable for single sign-on when some application is already logged in. The unified application back end performs the validity check in place of the unified authentication center, which greatly reduces the authentication service pressure on the unified authentication center; meanwhile, because the unified login interface is a login page independent of the unified application front end and the unified application back end that transmits the token information, the embodiment of the disclosure supports cross-domain login.
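The cross-domain decision and the URL splicing of the legal token described in operations S324 to S328, as an added example that is not part of the patent. It assumes the token travels in a query parameter named `token` (the page does not name the parameter) and that "cross-domain" means a different scheme, host or port, as in the browser's same-origin rule; the URLs are constructed.

```python
"""Cross-domain check and token splicing for the second-application jump
(added example, not patent code)."""
from typing import Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_PARAM = "token"   # assumed name of the spliced query parameter


def origin(url: str) -> Tuple[str, str, Optional[int]]:
    """(scheme, host, port) as used for the same-origin comparison."""
    p = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(p.scheme.lower())
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port or default_port)


def is_cross_domain(current_url: str, target_url: str) -> bool:
    """True when the next address lives on a different origin."""
    return origin(current_url) != origin(target_url)


def splice_token(target_url: str, token: str) -> str:
    """Append the legal token to the destination URL's query string, keeping
    the existing parameters and replacing any stale token parameter."""
    p = urlsplit(target_url)
    params = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
              if k != TOKEN_PARAM]
    params.append((TOKEN_PARAM, token))
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(params), p.fragment))


def extract_token(url: str) -> Optional[str]:
    """Operation S325: the second application front end reads the token out of
    the URL it was opened with (None when no token was spliced in)."""
    for k, v in parse_qsl(urlsplit(url).query):
        if k == TOKEN_PARAM:
            return v
    return None


def next_hop(current_url: str, target_url: str, token: str) -> Tuple[str, str]:
    """Apply the rule from the text: cross-domain -> splice the token and jump
    via the unified login interface path; same origin -> direct access."""
    if is_cross_domain(current_url, target_url):
        return "jump", splice_token(target_url, token)
    return "direct", target_url
```

A token carried in the query string ends up in browser history, Referer headers and web-server access logs, so a practitioner implementing this jump would keep the token short-lived and single-use, or place it in the URL fragment (which browsers do not send to the server) and let the front end hand it to the second application back end as in operation S325.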
Fig. 5 schematically illustrates a schematic diagram of cluster node authentication according to an embodiment of the disclosure.
As shown in fig. 5, in practice each node in the cluster caches a token that records the user's authentication information. The token cached by different nodes differs and falls into three types: 1. token not cached; 2. token cached but expired; 3. token cached and not expired. The key logic is that the unified authentication center stores the real-time, accurate token; the forward validity of a token stored by any node in the cluster is higher than that of the unified authentication center, and its reverse validity is lower. That is, if the user's authentication fails on a node, this does not necessarily mean the user is unauthorized, and the user must go to the unified authentication center for further verification; if the user is authenticated successfully on a node, the user must be an authorized user.
As shown in fig. 3A and fig. 5 together, for "the first application back end sends the legal token to the unified authentication center for verification in operation S314, and when the unified authentication center verifies successfully, the verified legal token is received and synchronized to the unified application back end", there are the following two cases:
In the first case, at "node 1: token not cached locally", node 1 caches the token and sets its validity period after the token is authenticated successfully.
In the second case, at "node 2: token cached locally but expired", the validity period of the token cached by node 2 is refreshed after the token is authenticated successfully.
As shown in fig. 3B and fig. 5, for "in operation S323, the unified application back end, in response to the unified login interface obtaining the public key from the unified authentication center, intercepts the verification information to perform validity verification, and sends the legal token to the unified application front end if verification succeeds", there is the third case: at "node 3: token cached locally and not expired", node 3 in the application cluster performs token validity authentication directly.
In the third case, if token verification fails in the node 3 corresponding to the unified application back end, further verification needs to be performed in the unified authentication center.
According to the embodiment of the disclosure, caching legal tokens in the cluster nodes corresponding to the unified application center suits simply deployed environments and requires no third-party caching middleware.
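The three cluster-node cases above, together with the token synchronization of operation S313 and the interception of operation S323, as an added example that is not code from the patent. It models a node's local cache and the rule that a node's success is authoritative while a node's failure only means "ask the unified authentication center". Token values, expiry times, and the HTTP status code and header name used in the interception step are assumptions (the page names neither).

```python
"""Cluster-node token cache with fallback to the unified authentication center
(added example, not patent code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class AuthCenter:
    """Stand-in for the unified authentication center, the authoritative store.
    Maps token -> absolute expiry time in seconds (constructed values)."""
    tokens: Dict[str, float]
    calls: int = 0   # how often cluster nodes had to fall back to the center

    def verify(self, token: str, now: float) -> Optional[float]:
        """Return the token's expiry if it is legal at `now`, else None."""
        self.calls += 1
        exp = self.tokens.get(token)
        return exp if exp is not None and exp > now else None


@dataclass
class ClusterNode:
    """One node of the unified application back end with its local token cache."""
    name: str
    center: AuthCenter
    cache: Dict[str, float] = field(default_factory=dict)

    def check(self, token: str, now: float) -> bool:
        exp = self.cache.get(token)
        if exp is not None and exp > now:
            return True   # case 3: cached and not expired, the node decides alone
        # case 1 (not cached) or case 2 (cached but expired): the local failure
        # is not conclusive, so the center performs the further verification.
        fresh = self.center.verify(token, now)
        if fresh is None:
            self.cache.pop(token, None)   # drop a stale entry
            return False
        self.cache[token] = fresh   # case 1: cache it; case 2: refresh the validity period
        return True


# Assumed values for the "specific http state code" and response header of S323.
TOKEN_OK_STATUS = 200
TOKEN_HEADER = "X-Legal-Token"


def intercept_login(node: ClusterNode, historical_token: str,
                    now: float) -> Tuple[int, Dict[str, str]]:
    """Operation S323: the unified application back end intercepts the
    verification information (a historically issued token) and, if it is legal,
    answers with the status code and the token in the response header."""
    if node.check(historical_token, now):
        return TOKEN_OK_STATUS, {TOKEN_HEADER: historical_token}
    return 401, {}
```

The model assumes a token stops being legal only by expiring, which is what the page's three cases cover. If the unified authentication center can also revoke a token before its expiry, a node's "valid" verdict is no longer authoritative, and the cache needs a short time-to-live or push invalidation from the center to stay correct.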
Fig. 6 schematically shows a schematic diagram of different application architectures according to an embodiment of the present disclosure.
As shown in fig. 6, when an application built on a new technology framework (hereinafter the new application) needs to be integrated into an application built on an old technology framework (hereinafter the old application), the new application must adapt to the single sign-on integration scheme provided by the old application. For example, if the old application implements single sign-on on the CAS technology framework, the new application needs to integrate a CAS client; if the old application implements single sign-on with an in-house SDK framework, the new application needs to integrate that SDK client; if the old application provides an API mode, the new application needs to integrate single sign-on over HTTP. These single sign-on processing modules are integrated through the unified application back end, and dynamic switching of mutual trust between web applications of different technical architectures is then realized through Java SPI.
When an old application needs to be integrated into a new application, the unified authentication center of the new application provides two ways: 1. a complete SDK; 2. rich RESTful API interfaces. The old application can select the appropriate integration mode according to its actual situation and needs only a moderate amount of modification to be integrated into the new application.
Based on the single sign-on method, the disclosure also provides a single sign-on system. The single sign-on system will be described in detail below in connection with fig. 7.
Fig. 7 schematically illustrates a block diagram of a single sign-on system in accordance with an embodiment of the present disclosure.
As shown in connection with fig. 7 and fig. 2, the single sign-on system 700 of this embodiment includes a unified application front end 210, a unified application back end 220, a unified login interface 710, and a unified authentication center 720. Wherein,
the unified application front end 210 is configured to integrate a plurality of application front ends, where the plurality of application front ends includes at least a first application front end 211;
the unified application back end 220 is configured to integrate a plurality of application back ends, where the plurality of application back ends includes at least a first application back end 221;
the unified login interface 710 is configured to generate and send verification information to the unified authentication center 720 in response to a user login request;
the unified authentication center 720 is configured to perform validity check on the received check information, and send a legal token to the unified login interface 710 when the check is successful, where the legal token is forwarded to the first application back end 221 via the first application front end 211; and
The first application back end 221 is configured to send the legal token to the unified authentication center 720 for verification, and when the unified authentication center 720 is successful in verification, receive the verified legal token and synchronize to the unified application back end 220, and return the verified legal token to the first application front end 211 to complete single sign-on for the first application.
According to embodiments of the present disclosure, any of the modules in the unified application front end 210, the unified application back end 220, the unified login interface 710, and the unified authentication center 720 may be combined into one module for implementation, or any of them may be split into a plurality of modules. Alternatively, at least some of the functionality of one or more of the modules may be combined with at least some of the functionality of other modules and implemented in one module. According to embodiments of the present disclosure, at least one of the unified application front end 210, the unified application back end 220, the unified login interface 710, and the unified authentication center 720 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable way of integrating or packaging the circuitry, or in any one of, or a suitable combination of, software, hardware, and firmware. Alternatively, at least one of the unified application front end 210, the unified application back end 220, the unified login interface 710, and the unified authentication center 720 may be at least partially implemented as computer program modules that, when executed, perform the corresponding functions.
Fig. 8 schematically illustrates a block diagram of an electronic device adapted to implement a method of single sign-on in accordance with an embodiment of the present disclosure.
As shown in fig. 8, an electronic device 800 according to an embodiment of the present disclosure includes a processor 801 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. The processor 801 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor 801 may also include on-board memory for caching purposes. The processor 801 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the disclosure.
In the RAM 803, various programs and data required for the operation of the electronic device 800 are stored. The processor 801, the ROM 802, and the RAM 803 are connected to each other by a bus 804. The processor 801 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 802 and/or the RAM 803. Note that the program may be stored in one or more memories other than the ROM 802 and the RAM 803. The processor 801 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the electronic device 800 may also include an input/output (I/O) interface 805, the input/output (I/O) interface 805 also being connected to the bus 804. The electronic device 800 may also include one or more of the following components connected to the I/O interface 805: an input portion 806 including a keyboard, mouse, etc.; an output portion 807 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage section 808 including a hard disk or the like; and a communication section 809 including a network interface card such as a LAN card, a modem, or the like. The communication section 809 performs communication processing via a network such as the internet. The drive 810 is also connected to the I/O interface 805 as needed. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as needed so that a computer program read out therefrom is mounted into the storage section 808 as needed.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 802 and/or RAM 803 and/or one or more memories other than ROM 802 and RAM 803 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code, when executed in a computer system, causes the computer system to implement the item recommendation method provided by embodiments of the present disclosure.
The described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 801. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed, and downloaded and installed in the form of a signal on a network medium, and/or from a removable medium 811 via a communication portion 809. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination thereof.
In such an embodiment, the computer program may be downloaded and installed from a network via the communication section 809, and/or installed from the removable media 811. The functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 801. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
According to embodiments of the present disclosure, program code for the computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, C or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be provided in a variety of combinations and/or combinations, even if such combinations or combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or combined without departing from the spirit and teachings of the present disclosure. All such combinations and/or combinations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (13)

1. A single sign-on method is characterized in that the method is applied to a single sign-on system, the system comprises a unified application front end, a unified application back end, a unified login interface and a unified authentication center, wherein a plurality of application front ends are integrated in the unified application front end, the plurality of application front ends at least comprise a first application front end and a second application front end, a plurality of application back ends are integrated in the unified application back end, the plurality of application back ends at least comprise a first application back end and a second application back end,
The method comprises the following steps:
responding to a query request by the back end of the second application, and returning a redirection instruction of the front end of the second application to jump to the unified login interface when the user is queried that the second application is not logged in;
the unified login interface sends second verification information to the unified authentication center to obtain a legal token, wherein the legal token is generated after the first verification information is subjected to validity verification by the unified authentication center in response to a user login request of a user to login a first application, and is synchronized to the back end of the unified application by the back end of the first application;
and the unified application back end responds to the public key acquired from the unified authentication center by the unified login interface, intercepts second verification information to perform validity verification, and sends the legal token to the unified application front end under the condition that verification is successful.
2. The method of claim 1, wherein prior to said sending, by the unified logon interface, second verification information to the unified authentication center for obtaining a legal token, the method further comprises:
responding to a user login request, generating and sending first check information to a unified authentication center by the unified login interface;
The unified authentication center performs validity check on the received first check information, and when the check is successful, a legal token is sent to the unified login interface and is forwarded to the first application back end through the first application front end; and
and the first application back end sends the legal token to the unified authentication center for verification, and when the unified authentication center is successful in verification, the checked legal token is received and synchronized to the unified application back end, and the checked legal token is returned to the first application front end to complete single sign-on of the first application.
3. The method of claim 2, wherein the generating and sending the first verification information by the unified logon interface to a unified authentication center comprises:
and the unified login interface acquires a public key from the unified authentication center, encrypts the first verification information through the public key and transmits the encrypted first verification information to the unified authentication center.
4. A method according to claim 3, wherein the verifying the validity of the received first verification information by the unified authentication center comprises:
Decrypting the received first verification information encrypted by the public key by the private key to obtain a decrypted file;
encrypting the decryption file through MD5 and a specific salt value to obtain ciphertext data; and
and verifying the legality of the ciphertext data according to the ciphertext in the preset database.
5. The method according to claim 1, wherein the method further comprises:
redirecting to a second application front end by the unified application front end, and sending the legal token;
the second application front end sends the legal token to the second application back end;
forwarding the legal token to the unified authentication center by the second application back end;
the unified authentication center performs validity check on the received legal token, and sends the legal token to the second application back end under the condition that the check is successful; and
and returning the second application back end to the second application front end to finish single sign-on of the second application.
6. The method of claim 5, wherein redirecting by the unified application front end to a second application front end and sending the legal token comprises:
And the legal token is received by the second application front end in a way of splicing the legal token through the URL address.
7. A method according to claim 2 or 3, wherein receiving the verified legal token and synchronizing it to the unified application back end comprises: the unified application back end storing the legal token in a cluster node.
8. A front-end and back-end single sign-on system, the system comprising: a unified application front end, a unified application back end, a unified login interface, and a unified authentication center, wherein,
the unified application front end is used for integrating a plurality of application front ends, and the application front ends at least comprise a first application front end and a second application front end;
the unified application back end is used for integrating a plurality of application back ends, and the application back ends at least comprise a first application back end and a second application back end;
the second application back end is used for responding to the query request, and returning a redirection instruction of the second application front end to jump to the unified login interface when the user is queried that the application is not logged in;
the unified login interface is used for sending second verification information to the unified authentication center to obtain a legal token, wherein the legal token is generated after the first verification information is subjected to validity verification by the unified authentication center in response to a user login request of a user to login a first application, and is synchronized to the unified application back end by the first application back end;
The unified application back end is used for intercepting the second verification information to perform validity verification in response to the public key acquired from the unified authentication center by the unified login interface, and sending the legal token to the unified application front end under the condition that verification is successful.
9. The system of claim 8, wherein,
the unified login interface is used for responding to a user login request and generating and sending first check information to the unified authentication center;
the unified authentication center is further used for carrying out validity check on the received first check information, and when the check is successful, a legal token is sent to the unified login interface and is forwarded to the first application rear end through the first application front end; and
the first application back end is further used for sending the legal token to the unified authentication center for verification, receiving the verified legal token to be synchronized to the unified application back end when the unified authentication center is successful in verification, and returning the verified legal token to the first application front end to complete single sign-on of the first application.
10. The system of claim 9, wherein
The unified login interface is further configured to obtain a public key from the unified authentication center, encrypt the first verification information with the public key, and then transmit the encrypted first verification information to the unified authentication center.
11. The system of any one of claims 8-10, wherein,
the unified application front end is used for redirecting to the second application front end and sending the legal token;
the second application front end is further configured to send the legal token to the second application back end;
the second application back end is further used for forwarding the legal token to the unified authentication center;
the unified authentication center is further used for carrying out validity verification on the received legal token, and sending the legal token to the second application back end under the condition that verification is successful; and
the second application back end is further used for returning to the second application front end to complete single sign-on of the second application.
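The exchange that claims 8 to 11 describe, simulated end to end as an added example; this is not code from the patent or from the applicant. Every participant is a function or struct in one process, so the messages between them are plain calls. Assumptions not stated in the claims: the first verification information is the credential pair "user:password" encrypted with RSA-OAEP under the authentication centre's public key; the legal token has the format "user.expiry.mac" with an HMAC-SHA256 tag under a key only the centre holds; the second verification information is modelled as the user identifier carried by the unified front end's session; the user table ("alice" / "correct-horse") is constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"strconv"
	"strings"
	"time"
)

// AuthCenter models the unified authentication center: an RSA key pair whose public half
// the login interface fetches, an HMAC key for the tokens it issues, and a constructed
// user table (plaintext passwords only to keep the example short).
type AuthCenter struct {
	priv     *rsa.PrivateKey
	tokenKey []byte
	users    map[string]string
}

func NewAuthCenter() *AuthCenter {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	key := make([]byte, 32)
	if _, err2 := rand.Read(key); err != nil || err2 != nil {
		panic("key generation failed")
	}
	return &AuthCenter{priv: priv, tokenKey: key, users: map[string]string{"alice": "correct-horse"}}
}

// sign produces the integrity tag of a token body; the token format "user.expiry.mac" is assumed.
func (a *AuthCenter) sign(body string) string {
	mac := hmac.New(sha256.New, a.tokenKey)
	mac.Write([]byte(body))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Login decrypts the first verification information (RSA-OAEP, claim 10), checks it and issues a token.
func (a *AuthCenter) Login(encrypted []byte) (string, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, a.priv, encrypted, nil)
	if err != nil {
		return "", errors.New("verification information is not encrypted to this centre")
	}
	user, pass, ok := strings.Cut(string(plain), ":")
	stored, known := a.users[user]
	if !ok || !known || subtle.ConstantTimeCompare([]byte(stored), []byte(pass)) != 1 {
		return "", errors.New("invalid credentials")
	}
	body := user + "." + strconv.FormatInt(time.Now().Add(10*time.Minute).Unix(), 10)
	return body + "." + a.sign(body), nil
}

// Verify is the check each application back end delegates to the centre: integrity (constant-time), then expiry.
func (a *AuthCenter) Verify(tok string) (string, error) {
	i := strings.LastIndex(tok, ".")
	if i < 0 || !hmac.Equal([]byte(a.sign(tok[:i])), []byte(tok[i+1:])) {
		return "", errors.New("malformed or tampered token")
	}
	user, expStr, _ := strings.Cut(tok[:i], ".")
	if exp, err := strconv.ParseInt(expStr, 10, 64); err != nil || time.Now().Unix() > exp {
		return "", errors.New("expired token")
	}
	return user, nil
}

// LoginInterface models the unified login interface (claims 9 and 10): fetch the public
// key, encrypt the credentials under it, and exchange them for the legal token.
func LoginInterface(ac *AuthCenter, user, pass string) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &ac.priv.PublicKey, []byte(user+":"+pass), nil)
	if err != nil {
		return "", err
	}
	return ac.Login(ct)
}

// UnifiedBackend is the unified application back end: tokens synchronised to it, keyed by user.
type UnifiedBackend struct{ synced map[string]string }

// Accept is what claims 9 and 11 require of every application back end: forward the token
// to the centre and log the user in only once it verifies; the first application also
// synchronises the verified token to the unified back end (claim 9).
func Accept(ac *AuthCenter, ub *UnifiedBackend, tok string, isFirst bool) (string, error) {
	user, err := ac.Verify(tok)
	if err == nil && isFirst {
		ub.synced[user] = tok
	}
	return user, err
}

// SecondLogin models claims 8 and 11 for a second application the user is not logged in
// to: the unified back end checks the second verification information (assumed here to be
// the user identifier from the unified front end's session), releases the synchronised
// token, and the second application back end still verifies it with the centre.
func SecondLogin(ac *AuthCenter, ub *UnifiedBackend, user string) (string, error) {
	tok, ok := ub.synced[user]
	if !ok {
		return "", errors.New("no synchronised token for " + user)
	}
	return Accept(ac, ub, tok, false)
}
```

Two points the simulation makes visible. First, no application back end ever trusts a token because a front end handed it over; each one calls Verify, which is the step claims 9 and 11 insist on, and a token with a rewritten user part fails there because the HMAC no longer matches. Second, the public key protects the credentials only on the login leg: it does not authenticate the centre to the login interface, so in a deployment the key must be fetched over a channel that already authenticates the centre (TLS with certificate validation), otherwise an attacker who substitutes their own key can read the first verification information.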
12. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-7.
13. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1-7.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202111546258.8A | 2021-12-16 | 2021-12-16 | Single sign-on method, system, device, medium, and program

Publications (2)

Publication Number | Publication Date
CN114244607A | 2022-03-25
CN114244607B | 2023-06-30

Family ID: 80757347

Country Status (1)

Country | Link
CN | CN114244607B (en)

Citations (7)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
CN109587133A * | 2018-11-30 | 2019-04-05 | 武汉烽火众智智慧之星科技有限公司 | A single sign-on system and method
US11159326B1 * | 2019-08-29 | 2021-10-26 | Hiro Systems Pbc | Client-side authentication system and associated method
CN110765443A * | 2019-10-24 | 2020-02-07 | 深圳前海环融联易信息科技服务有限公司 | Single sign-on method and device, computer equipment and storage medium
CN111786996A * | 2020-06-30 | 2020-10-16 | 北京同邦卓益科技有限公司 | Cross-domain synchronous login state method and device and cross-domain synchronous login system
CN112468481A * | 2020-11-23 | 2021-03-09 | 西安西热电站信息技术有限公司 | Single-page and multi-page web application identity integrated authentication method based on CAS
CN112995131A * | 2021-02-01 | 2021-06-18 | 北京拉勾网络技术有限公司 | Page login method, system and computing device
CN113179254A * | 2021-04-01 | 2021-07-27 | 杭州数跑科技有限公司 | System login method and device, electronic equipment and storage medium



Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant